Step 1
Open IAM roles
In AWS Console, open IAM, then Roles, then Create role.
Start from IAM roles, not users or access keys.
[Screenshot: AWS Console / IAM / Roles, annotated with 1 Roles, 2 Create role, 3 Trusted entity type]
Create one dedicated IAM role with an external ID. CloudCostIQ uses that role to read Cost Explorer, billing, CUR metadata, and account context for recurring savings reviews.
1. In AWS Console, open IAM, then Roles, then Create role.
2. Select AWS account as the trusted entity. Use the CloudCostIQ AWS account ID shown in your dashboard connection form.
3. Create or attach the CloudCostIQ billing policy shown below. It grants billing and Cost Explorer read access only.
4. Name the role CloudCostIQBillingReadOnly, review the trust relationship and policy, then create the role.
5. Return to CloudCostIQ, open Cloud Data, choose AWS, paste the Role ARN and External ID, then run Test, save, and backfill.
Trust policy (trust relationship):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{cloudcostiqAccountId}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{externalIdFromCloudCostIQ}"
        }
      }
    }
  ]
}

Permissions policy (CloudCostIQBillingReadOnly):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudCostIQBillingReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetTags",
        "cur:DescribeReportDefinitions",
        "organizations:DescribeAccount",
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}
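Before pasting the Role ARN into the connection form, it is worth checking that the role you created actually carries the two controls the procedure above depends on: the trust policy must name only the CloudCostIQ account as principal and must require the external ID (the condition that prevents a confused-deputy assumption by a third party), and the permissions policy must contain only read-style actions in the billing scope. The following Python script is an added example, not CloudCostIQ's own code; it renders the trust policy from the page with the two placeholders filled in and then validates both documents offline. The account ID and external ID values are constructed placeholders, and the read-only verb list (Get/List/Describe) is an assumption chosen to match the actions on this page.

```python
"""Offline checks for a cross-account billing role: trust policy and permissions policy."""

# Assumed definition of "read-only": IAM action verbs that only read state.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")
# Services the billing policy on this page touches; anything else is flagged.
ALLOWED_SERVICES = {"ce", "cur", "organizations"}

# Constructed sample values; neither is a real account ID or a real external ID.
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_EXTERNAL_ID = "example-external-id-0001"


def render_trust_policy(cloudcostiq_account_id: str, external_id: str) -> dict:
    """Return the page's trust policy with {cloudcostiqAccountId} and
    {externalIdFromCloudCostIQ} replaced by concrete values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cloudcostiq_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return a list of findings (empty means the trust policy is as expected)."""
    findings = []
    expected_principal = f"arn:aws:iam::{expected_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected action(s) in trust policy: {actions}")
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal")
            elif p != expected_principal:
                findings.append(f"principal {p} is not the expected account root")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("sts:ExternalId condition missing")
        elif ext.startswith("{") and ext.endswith("}"):
            findings.append(f"external ID still a placeholder: {ext}")
    return findings


def check_permissions_policy(policy: dict) -> list:
    """Return findings for actions that are wildcards, write-style, or outside billing scope."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or ":" not in action:
                findings.append(f"wildcard or malformed action: {action}")
                continue
            service, verb = action.split(":", 1)
            if service not in ALLOWED_SERVICES:
                findings.append(f"action outside billing scope: {action}")
            if "*" in verb or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action: {action}")
    return findings


# The permissions policy from the page, embedded so the check runs offline.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudCostIQBillingReadOnly",
        "Effect": "Allow",
        "Action": [
            "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
            "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation",
            "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
            "ce:GetSavingsPlansPurchaseRecommendation", "ce:GetSavingsPlansUtilization",
            "ce:GetTags", "cur:DescribeReportDefinitions",
            "organizations:DescribeAccount", "organizations:ListAccounts",
        ],
        "Resource": "*",
    }],
}

# Constructed weak variant: same principal, but the external ID condition was left out.
TRUST_POLICY_MISSING_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    good = render_trust_policy(SAMPLE_ACCOUNT, SAMPLE_EXTERNAL_ID)
    print("trust policy:", check_trust_policy(good, SAMPLE_ACCOUNT) or "OK")
    print("weak trust policy:", check_trust_policy(TRUST_POLICY_MISSING_EXTERNAL_ID, SAMPLE_ACCOUNT))
    print("permissions policy:", check_permissions_policy(PERMISSIONS_POLICY) or "OK")
```

To check a role that already exists, fetch its trust document and attached policy with the AWS CLI or boto3, parse the JSON, and pass the dicts to the two check functions; an empty findings list for both is the state the connection form expects.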